Hi All, Just checking our radius servers, I noticed that Cistron radius in potato is still version 1.6.1, and I cannot see any notes of security updates for the package in the changelog.Debian.gz file.
Andrew Tait System Administrator Country NetLink Pty, Ltd E-Mail: [EMAIL PROTECTED] WWW: http://www.cnl.com.au 30 Bank St Cobram, VIC 3644, Australia Ph: +61 (03) 58 711 000 Fax: +61 (03) 58 711 874 "It's the smell! If there is such a thing." Agent Smith - The Matrix ----- Original Message ----- From: "CERT Advisory" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, March 05, 2002 6:43 AM Subject: CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the > > > -----BEGIN PGP SIGNED MESSAGE----- > > CERT Advisory CA-2002-06 Vulnerabilities in Various Implementations of the > RADIUS Protocol > > Original release date: March 4, 2002 > Last revised: -- > Source: CERT/CC > > A complete revision history can be found at the end of this file. > > Systems Affected > > Systems running any of the following RADIUS implementations: > > * Ascend RADIUS versions 1.16 and prior > * Cistron RADIUS versions 1.6.5 and prior > * FreeRADIUS versions 0.3 and prior > * GnuRADIUS versions 0.95 and prior > * ICRADIUS versions 0.18.1 and prior > * Livingston RADIUS versions 2.1 and earlier > * RADIUS (previously known as Lucent RADIUS) versions 2.1 and prior > * RADIUSClient versions 0.3.1 and prior > * XTRADIUS 1.1-pre1 and prior > * YARD RADIUS 1.0.19 and prior > > Overview > > Remote Authentication Dial In User Service (RADIUS) servers are used > for authentication, authorization and accounting for terminals that > speak the RADIUS protocol. Multiple vulnerabilities have been > discovered in several implementations of the RADIUS protocol. > > I. Description > > Two vulnerabilities in various implementations of RADIUS clients and > servers have been reported to several vendors and the CERT/CC. They > are remotely exploitable, and on most systems result in a denial of > service. VU#589523 may allow the execution of code if the attacker has > knowledge of the shared secret. > > VU#589523 - Multiple implementations of the RADIUS protocol contain a > digest calculation buffer overflow > > Multiple implementations of the RADIUS protocol contain a buffer > overflow in the function that calculates message digests. > > During the message digest calculation, a string containing the > shared secret is concatenated with a packet received without > checking the size of the target buffer. This makes it possible to > overflow the buffer with shared secret data. This can lead to a > denial of service against the server. If the shared secret is known > by the attacker, then it may be possible to use this information to > execute arbitrary code with the privileges of the victim RADIUS > server or client, usually root. It should be noted that gaining > knowledge of the shared secret is not a trivial task. > > Systems Affected by VU#589523 > > * Ascend RADIUS versions 1.16 and prior > * Cistron RADIUS versions 1.6.4 and prior > * FreeRADIUS versions 0.3 and prior > * GnuRADIUS versions 0.95 and prior > * ICRADIUS versions 0.18.1 and prior > * Livingston RADIUS versions 2.1 and earlier > * RADIUS (commonly known as Lucent RADIUS) versions 2.1 and prior > * RADIUSClient versions 0.3.1 and prior > * YARD RADIUS 1.0.19 and prior > * XTRADIUS 1.1-pre1 and prior > > VU#936683 - Multiple implementations of the RADIUS protocol do not > adequately validate the vendor-length of vendor-specific attributes. > > Various RADIUS servers and clients permit the passing of > vendor-specific and user-specific attributes. Several > implementations of RADIUS fail to check the vendor-length of > vendor-specific attributes. It is possible to cause a denial of > service against RADIUS servers with a malformed vendor-specific > attribute. > > RADIUS servers and clients fail to validate the vendor-length > inside vendor-specific attributes. The vendor-length shouldn't be > less than 2. If vendor-length is less than 2, the RADIUS server (or > client) calculates the attribute length as a negative number. The > attribute length is then used in various functions. In most RADIUS > servers the function that performs this calculation is rad_recv() > or radrecv(). Some applications may use the same logic to validate > user-specific attributes and be vulnerable via the same method. > > Systems Affected by VU#936683 > > * Cistron RADIUS versions 1.6.5 and prior > * FreeRADIUS versions 0.3 and prior > * ICRADIUS versions 0.18.1 and prior > * Livingston RADIUS versions 2.1 and earlier > * YARD RADIUS 1.0.19 and prior > * XTRADIUS 1.1-pre1 and prior > > II. Impact > > Both of the vulnerabilities allow an attacker can cause a denial of > service of the RADIUS server. On some systems, VU#589523 may allow the > execution of code if the attacker has knowledge of the shared secret. > > III. Solution > > Apply a patch, or upgrade to the version specified by your vendor. > Block packets to the RADIUS server at the firewall > > Limit access to the RADIUS server to those addresses which are > approved to authenticate to the RADIUS server. Note that this does not > protect your server from attacks originating from these addresses. > > Appendix A. - Vendor Information > > This appendix contains information provided by vendors for this > advisory. When vendors report new information to the CERT/CC, we > update this section and note the changes in our revision history. If a > particular vendor is not listed below, we have not received their > comments. > > Apple > > Mac OS X and Mac OS X Server -- Not vulnerable since RADIUS is not > shipped with those products. > > Cisco > > Cisco Systems has reviewed the following products that implement > RADIUS with regards to this vulnerability, and has determined that > the following are NOT vulnerable to this issue; Cisco IOS, Cisco > Catalyst OS, Cisco Secure PIX firewall, Cisco Secure Access Control > System for Windows, Cisco Aironet, Cisco Access Registrar, and > Cisco Resource Pooling Management Service. At this time, we are not > aware of any Cisco products that are vulnerable to the issues > discussed in this report. > > Cistron > > You state 2 vulnerabilities: > 1. Digest Calculation Buffer Overflow Vulnerability Cistron Radius up > to and including 1.6.4 is vulnerable > 2. Invalid attribute length calculation on malformed Vendor-Specific > attr. Cistron Radius up to and including 1.6.5 is vulnerable > > Today I have released version 1.6.6, which also fixes (2). The > homepage is http://www.radius.cistron.nl/ on which you can also > find the ChangeLog. An announcement to the cistron-radius > mailinglist was also made today. > > So everybody should upgrade to 1.6.6. > > FreeBSD > > FreeBSD versions prior to 4.5-RELEASE (which is shipping today or > tomorrow or so) do contain some of the RADIUS packages mentioned > below: radiusd-cistron, freeradius, ascend-radius, icradius, and > radiusclient. However, 4.5-RELEASE will not ship with any of these > RADIUS packages, except radiusclient. Also, note that the > information you [CERT/CC] have forwarded previously indicates that > neither Merit RADIUS (radius-basic) nor radiusclient are > vulnerable. > > Fujitsu > > Fujitsu's UXP/V operating system is not vulnerable because UXP/V > does not support the Radius functionality. > > GnuRADIUS > > The bug was fixed in version 0.96. > > Hewlett-Packard > > We have tested our Version of RADIUS, and we are NOT vulnerable. > > IBM > > IBM's AIX operating system, all versions, is not vulnerable as we > do not ship the RADIUS project with AIX. > > Juniper Networks > > Juniper products have been tested and are not affected by this > vulnerability. > > Lucent Technologies, Inc. > > Lucent and Ascend "Free" RADIUS server Product Status > > Reiteration of product End of Life > February 14, 2002 > > The purpose of this announcement is to make official the end of > life of products based on the Livingston Enterprises RADIUS server, > and to reiterate the terms of the original license. > > Prior to the Lucent Technologies acquisition of Ascend Communications > and Livingston Enterprises, both companies distributed RADIUS servers > at no cost to their customers. The initial Livingston server was > RADIUS 1.16 followed in June 1999 by RADIUS 2.1. The Ascend server > was based on the Livingston 1.16 product with the most recent version > being released in June 1998. Lucent Technologies no longer > distributes these products, does not provide any support services for > these products, and has not done so for some time. > > All of these products were distributed as-is without warranty, > under the BSD "Open Source" license with the following terms: > > This software is provided by the copyright holders and contributors > ``as is'' and any express or implied warranties, including, but not > limited to, the implied warranties of merchantability and fitness for > a particular purpose are disclaimed. In no event shall the copyright > holder or contributors be liable for any direct, indirect, > incidental, special, exemplary, or consequential damages (including, > but not limited to, procurement of substitute goods or services; > loss of use, data, or profits; or business interruption) however > caused and on any theory of liability, whether in contract, strict > liability, or tort (including negligence or otherwise) arising in any > way out of the use of this software, even if advised of the > possibility of such damage. > > Redistribution and use in source and binary forms, with or without > modification, are permitted provided that the following conditions > are met: > > * Redistributions of source code must retain the above copyright > notice, this list of conditions and the following disclaimer. > > * Redistributions in binary form must reproduce the above copyright > notice, this list of conditions and the following disclaimer in the > documentation and/or other materials provided with the > distribution. > > * All advertising materials mentioning features or use of this > software must display the following acknowledgement: > This product includes software developed by Lucent Technologies and > its contributors. > > * Neither the name of the copyright holder nor the names of its > contributors may be used to endorse or promote products derived > from this software without specific prior written permission. > > Under this license, other parties are free to develop and release > other products and versions. However, as noted in the license terns, > Lucent Technologies can not and does not assume any responsibility > for any releases, present or future, based on these products. > > Replacement Product > > The replacement product is NavisRadius 4.x. NavisRadius is a fully > supported commercial product currently available from Lucent > Technologies. Please visit the NavisRadius product web site at > http://www.lucentradius.com for product information and free > evaluation copies. > > Richard Perlman > NavisRadius Product Management > Network Operations Software > [EMAIL PROTECTED] > +1 510-747-5650 > > > > Microsoft > > We've completed our investigation into this issue based on the > information provided and have determined that no version of > Microsoft IAS is susceptible to either vulnerability. > > NetBSD > > Some of the affected radius daemons are available from NetBSD > pkgsrc. It is highly advisable that you update to the latest > versions available from pkgsrc. Also note that > pkgsrc/security/audit-packages can be used to notify you when new > pkgsrc related security issues are announced. > > Process Software > > MultiNet and TCPware do not provide a RADIUS implementation. > > RADIUS (previously known as Lucent RADIUS) > > I wish to advise that Lucent Radius 2.1 is vulnerable to VU#589523, > but is not vulnerable to VU#936683. > > I have made an unofficial patch to this code to resolve this > problem. It will be released in ftp://ftp.vergenet.net/pub/radius/ > where previous patches to Radius by myself are available. > > RADIUSClient > > I've just uploaded version 0.3.2 of the radiusclient library to > ftp://ftp.cityline.net/pub/radiusclient/radiusclient-0.3.2.tar.gz > which contains a fix for the reported buffer overflow. > > Red Hat > > We do not ship any radius software as part of any of our main > operating system. However, Cistron RADIUS was part of our > PowerTools add-on software CD from versions 5.2 through 7.1. Thus > while not installed by default, some users of Red Hat Linux may be > using Cistron RADIUSD. Errata packages that fix this problem and > our advisory will be available shortly on our web site at the URL > below. At the same time users of the Red Hat Network will be able > to update their systems to patched versions using the up2date tool. > > http://www.redhat.com/support/errata/RHSA-2002-030.html > > SCO > > The Caldera NON-Linux operating systems: OpenServer, UnixWare, and > Open UNIX, do not ship Radius servers or clients. > > SGI > > SGI does not ship with a RADIUS server or client, so we are not > vulnerable to these issues. > > Wind River Systems > > The current RADIUS client product from Wind River Systems, WindNet > RADIUS 1.1, is not susceptible to VU#936683 and VU#589523 in our > internal testing. > > VU#936683 - WindNet RADIUS will pass the packet up to the > application. The application may need to be aware of the invalid > attribute length. > > VU#589523 - WindNet RADIUS will drop the packet overflow. > > Please contact Wind River support at [EMAIL PROTECTED] or call > (800) 458-7767 with any test reports related to VU#936683 and > VU#589523. > > XTRADIUS > > We are trying to relase a new and fixed version of xtradius by the > end of the month (version 1.2.1).. Right now the new version is on > the CVS and we are testing it... > > YARD RADIUS > > Current version 1.0.19 of Yardradius (which is derived from Lucent > 2.1) seems suffering both the problems. I think I will release a > new version (1.0.20) which solves those buffer overflows before > your suggested date [3/4/2002]. > _________________________________________________________________ > > Our thanks to 3APA3A <[EMAIL PROTECTED]> and Joshua Hill and for > their cooperation, reporting and analysis of this vulnerability. > _________________________________________________________________ > > Feedback about this Advisory can be sent to the author, > Jason A. Rafail. > _________________________________________________________________ > > Appendix B. - References > > 1. http://www.kb.cert.org/vuls/id/589523 > 2. http://www.kb.cert.org/vuls/id/936683 > 3. http://www.security.nnov.ru/advisories/radius.asp > 4. http://www.untruth.org/~josh/security/radius > 5. http://www.securityfocus.com/bid/3530 > ______________________________________________________________________ > > This document is available from: > http://www.cert.org/advisories/CA-2002-06.html > ______________________________________________________________________ > > CERT/CC Contact Information > > Email: [EMAIL PROTECTED] > Phone: +1 412-268-7090 (24-hour hotline) > Fax: +1 412-268-6989 > Postal address: > CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh PA 15213-3890 > U.S.A. > > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / > EDT(GMT-4) Monday through Friday; they are on call for emergencies > during other hours, on U.S. holidays, and on weekends. > > Using encryption > > We strongly urge you to encrypt sensitive information sent by email. > Our public PGP key is available from > > http://www.cert.org/CERT_PGP.key > > If you prefer to use DES, please call the CERT hotline for more > information. > > Getting security information > > CERT publications and other security information are available from > our web site > > http://www.cert.org/ > > To subscribe to the CERT mailing list for advisories and bulletins, > send email to [EMAIL PROTECTED] Please include in the body of your > message > > subscribe cert-advisory > > * "CERT" and "CERT Coordination Center" are registered in the U.S. > Patent and Trademark Office. > ______________________________________________________________________ > > NO WARRANTY > Any material furnished by Carnegie Mellon University and the Software > Engineering Institute is furnished on an "as is" basis. Carnegie > Mellon University makes no warranties of any kind, either expressed or > implied as to any matter including, but not limited to, warranty of > fitness for a particular purpose or merchantability, exclusivity or > results obtained from use of the material. Carnegie Mellon University > does not make any warranty of any kind with respect to freedom from > patent, trademark, or copyright infringement. > _________________________________________________________________ > > Conditions for use, disclaimers, and sponsorship information > > Copyright 2002 Carnegie Mellon University. > > Revision History > March 04, 2002: Initial release > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > > iQCVAwUBPIPKVaCVPMXQI2HJAQFfUwQAq41ely7YkhdKYYM+YdjyGPpbMMqzi8Cb > 7mEOX8HByLfVQL4e5wnrJOrIhRvX2jCvDMC6KCfPBR8VQ9DZz6hmj1XqUX6TH1EN > T+9SnRCSxuRs8NtkBEWAYrHletfQ02C3v6As85Lqxl7nbYmXt3QrF88T+WNpv3r7 > AD7ZeRPeYdI= > =wtUX > -----END PGP SIGNATURE----- > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]